Marijan Hassan - Tech Journalist

Russian hackers stole federal government emails during Microsoft cyberattack, CISA warns

New reports indicate there may be more to the January attack on Microsoft by Russian hackers than the tech giant let on. According to the Cybersecurity and Infrastructure Security Agency (CISA), the hackers popularly known as Midnight Blizzard or Cozy Bear were able to steal sensitive data including authentication details after compromising Microsoft’s email system.

The breach, initially reported last month, allowed the hackers to access email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft. The compromised data is now being exploited in attempts to gain unauthorized access to other systems, posing significant security risks.

In response, CISA has issued Emergency Directive ED 24-02, which requires federal agencies to analyze the content of the exfiltrated emails, reset any credentials those emails exposed, and tighten security controls on privileged Microsoft Azure accounts.

Agencies are required to provide status updates on remediation efforts, with deadlines set for April 8 and May 1. This will be followed by weekly progress reports until completion.

Microsoft has reportedly agreed to provide all affected agencies with metadata regarding exfiltrated emails that contain credentials. It will also supply CISA with metadata for all exfiltrated federal agency correspondence, upon the request of the National Cyber Investigative Joint Task Force, which is led by the FBI.

The tech giant has also noted a surge in intrusion attempts by Midnight Blizzard, including password-spraying attacks, following the breach.

This latest incident compounds Microsoft's difficulties in maintaining robust cybersecurity and transparent disclosure practices. Critics, among them cybersecurity expert Amit Yoran, have faulted the company's handling of security incidents, pointing to the consequences for national security and commercial customers alike.

"Unfortunately it's not surprising to learn that Midnight Blizzard's intrusion campaign escalated after initially being discovered. Given Microsoft's consistent track record of partial disclosure, misleading statements, and downplaying security incidents, it was only a matter of when the other shoe would drop," the chairman and CEO of Tenable said.

CISA has said it will deliver a comprehensive report by September 1 to the Secretary of Homeland Security and the Director of the Office of Management and Budget, outlining the status of remediation efforts and highlighting lingering vulnerabilities.

